Configuring Flash for Cross-domain Access
By default, the OBS system is configured to support cross-domain access using the root domain name. This allows access from all domains, exposing clients to attacks.
To address this issue, you can create a crossdomain.xml file with specific rules in the bucket for each client, and add Security.loadPolicyFile("http://bucket.obs.cn-north-4.myhuaweicloud.com/crossdomain.xml") to the code of the Flash file to prevent attacks.
crossdomain.xml must comply with XML syntax rules and have exactly one root node, cross-domain-policy, which has no attributes. The root node can contain only the following sub-nodes: site-control, allow-access-from, allow-access-from-identity, and allow-http-request-headers-from. The following table describes the sub-nodes.
| Name | Description |
|---|---|
| site-control | Checks the attribute value and determines whether other policy files can be loaded. The attribute values can be: none: loadPolicyFile cannot be used to load any policy file. master-only: Only the master policy file [default] can be used. by-content-type: Only loadPolicyFile can be used to load the file whose Content-Type is text/x-cross-domain-policy over HTTP/HTTPS as the cross-domain policy file. by-ftp-filename: Only loadPolicyFile can be used to load file crossdomain.xml over FTP as the cross-domain policy file. all: loadPolicyFile can be used to load any file of the target domain as the cross-domain policy file. |
| allow-access-from | Checks the attribute value and determines the source domain of the Flash file that can access content of the domain. The attribute values can be: domain: This property specifies an IP address, a domain, or a wildcard domain (any domain). Only domains specified in domain have the permission to access the content of the domain using the Flash file. to-ports: Socket connection ports that can access content of the domain. secure: Indicates whether information is transmitted through encryption. |
| allow-access-from-identity | Allows a source domain that has a specific certificate to access resources in this domain. |
| allow-http-request-headers-from | Grants permission to a third-party domain to send data to the domain in HTTP header format. The attribute values can be: domain: This property specifies an IP address, a domain, or a wildcard domain (any domain). Only domains specified in domain have the permission to access the content of the domain using the Flash file. headers: A comma-separated list of the HTTP headers that can be sent. A wildcard (*) can be used to indicate all HTTP headers. secure: Indicates whether information is transmitted through encryption. |
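
The following Python sketch is an added example, not part of the OBS documentation: it checks a crossdomain.xml document against the structure rules above and flags the broad grants (wildcard domain, wildcard headers, secure="false", site-control set to all). The sample policies and the www.example.com client domain are constructed, and the attribute name permitted-cross-domain-policies is taken from Adobe's policy file specification rather than from this page.

```python
import xml.etree.ElementTree as ET

# Sub-nodes the root node may contain, as listed in the table above.
ALLOWED = {"site-control", "allow-access-from",
           "allow-access-from-identity", "allow-http-request-headers-from"}

def audit_policy(xml_text):
    """Return a list of findings for one crossdomain.xml document."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [f"root node is <{root.tag}>, expected <cross-domain-policy>"]
    findings = []
    if root.attrib:
        findings.append("root node must not carry attributes")
    for node in root:
        if node.tag not in ALLOWED:
            findings.append(f"unexpected sub-node <{node.tag}>")
            continue
        domain = node.get("domain", "")
        if node.tag in ("allow-access-from", "allow-http-request-headers-from"):
            if domain == "*":
                findings.append(f"<{node.tag}> grants access to any domain")
            elif domain.startswith("*."):
                findings.append(f"<{node.tag}> covers every subdomain of {domain[2:]}")
            if node.get("secure", "true").lower() == "false":
                findings.append(f"<{node.tag}> domain={domain!r} sets secure=false")
        if node.tag == "allow-http-request-headers-from" and node.get("headers") == "*":
            findings.append(f"any request header accepted from domain={domain!r}")
        # Assumed attribute name (Adobe policy file spec, not shown on this page).
        if node.tag == "site-control" and node.get("permitted-cross-domain-policies") == "all":
            findings.append("site-control 'all' lets any file serve as a policy file")
    return findings

# Constructed samples; www.example.com stands in for a real client domain.
PERMISSIVE = """<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

RESTRICTED = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
  <allow-http-request-headers-from domain="www.example.com" headers="Content-Type"/>
</cross-domain-policy>"""

if __name__ == "__main__":
    for name, text in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        print(name, audit_policy(text) or "no findings")
```

Running the audit over each bucket's policy file before upload catches a wildcard grant left over from testing.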